Secure Shell


 
 


Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.

Used primarily on Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for TELNET and other insecure remote shells, which sent information, notably passwords, in plaintext, leaving them open to interception. The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.

Definition

SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.

SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; it can transfer files using the associated SFTP or SCP protocols. SSH uses the client-server protocol.

An SSH server, by default, listens on the standard TCP port 22.

An SSH client program is typically used for establishing connections to an SSH daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, Linux, FreeBSD, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.

Uses of SSH


SSH is most commonly used:
  • with an SSH client that supports terminal protocols, for remote administration of the SSH server computer via terminal (character-mode) console;
  • in combination with SFTP, as a secure alternative to FTP which can be set up more easily on a small scale without a public key infrastructure and X.509 certificates;
  • in combination with rsync to back up, copy and mirror files efficiently and securely;
  • in combination with SCP, as a secure alternative for rcp file transfers;
  • for port forwarding or tunneling, frequently as an alternative to a full-fledged VPN. In this type of use, a (non-secure) TCP/IP connection of an external application is redirected to the SSH program (client or server), which forwards it to the other SSH party (server or client), which in turn forwards the connection to the desired destination host. The forwarded connection is encrypted and protected on the path between the SSH client and server only. Uses of SSH port forwarding include accessing database servers, email servers, securing X11, rdesktop, Windows Terminal Services and VNC connections or even forwarding Windows file shares. This is primarily useful for tunneling connections through firewalls which would ordinarily block that type of connection, and for encrypting protocols which are not normally encrypted (e.g. VNC);
  • for X11 forwarding through multiple hosts;
  • for generally browsing the web through an encrypted proxy connection, using the SSH server as a proxy (with an SSH client that supports dynamic port forwarding);
  • for automated remote monitoring and management of servers;
  • for securely mounting a directory on the server as a filesystem on the local computer, using the SSH Filesystem;
  • as a full-fledged VPN.

SSH architecture




The SSH-2 protocol has a clean internal architecture (defined in RFC 4251) with well-separated layers. These are:
  • The transport layer (RFC 4253). This layer handles initial key exchange and server authentication and sets up encryption, compression and integrity verification. It exposes to the upper layer an interface for sending and receiving plaintext packets of up to 32,768 bytes each (more can be allowed by the implementation). The transport layer also arranges for key re-exchange, usually after 1 GB of data has been transferred or after 1 hour has passed, whichever is sooner.
  • The user authentication layer (RFC 4252). This layer handles client authentication and provides a number of authentication methods. Authentication is client-driven, a fact commonly misunderstood by users; when one is prompted for a password, it may be the SSH client prompting, not the server. The server merely responds to the client's authentication requests. Widely used user authentication methods include the following:
    • "password": a method for straightforward password authentication, including a facility allowing a password to be changed. This method is not implemented by all programs.
    • "publickey": a method for public key-based authentication, usually supporting at least DSA or RSA keypairs, with other implementations also supporting X.509 certificates.
    • "keyboard-interactive" (RFC 4256): a versatile method where the server sends one or more prompts to enter information and the client displays them and sends back responses keyed-in by the user. Used to provide one-time password authentication such as S/Key or SecurID. Used by some OpenSSH configurations when PAM is the underlying host authentication provider to effectively provide password authentication, sometimes leading to inability to log in with a client that supports just the plain "password" authentication method.
    • GSSAPI authentication methods which provide an extensible scheme to perform SSH authentication using external mechanisms such as Kerberos 5 or NTLM, providing single sign on capability to SSH sessions. These methods are usually implemented by commercial SSH implementations for use in organizations, though OpenSSH does have a working GSSAPI implementation.
  • The connection layer (RFC 4254). This layer defines the concept of channels, channel requests and global requests using which SSH services are provided. A single SSH connection can host multiple channels simultaneously, each transferring data in both directions. Channel requests are used to relay out-of-band channel specific data, such as the changed size of a terminal window or the exit code of a server-side process. The SSH client requests a server-side port to be forwarded using a global request. Standard channel types include:
    • "shell" for terminal shells, SFTP and exec requests (including SCP transfers)
    • "direct-tcpip" for client-to-server forwarded connections
    • "forwarded-tcpip" for server-to-client forwarded connections


This open architecture provides considerable flexibility, allowing SSH to be used for a variety of purposes beyond secure shell. The functionality of the transport layer alone is comparable to TLS; the user authentication layer is highly extensible with custom authentication methods; and the connection layer provides the ability to multiplex many secondary sessions into a single SSH connection, a feature comparable to BEEP and not available in TLS.

Security cautions

Since SSH-1 has inherent design flaws which make it vulnerable to, e.g., man-in-the-middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1. While most modern servers and clients support SSH-2, some organizations still use software with no support for SSH-2, and thus SSH-1 cannot always be avoided.
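Whether a server still offers SSH-1 is visible in the identification string it sends before any key exchange (RFC 4253, sections 4.2 and 5.1). The following Python is an added example, not part of the original page: it classifies captured banners so an inventory can list hosts where SSH-1 fallback is still enabled. The host names and banner strings are constructed for the illustration.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
_IDENT = re.compile(r"^SSH-([^-\s]+)-(\S+)(?: (.*))?$")

def parse_identification(raw: bytes):
    """Return (protoversion, softwareversion) from the first bytes a server sends."""
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # a server may send other text lines before its identification
        if len(line) + 2 > 255:  # the limit includes the CR LF
            raise ValueError("identification string exceeds 255 bytes")
        match = _IDENT.match(line.decode("ascii"))
        if match is None:
            raise ValueError("malformed identification string")
        return match.group(1), match.group(2)
    raise ValueError("no SSH identification string found")

def classify(raw: bytes) -> str:
    """Map the advertised protocol version to an audit verdict."""
    proto, _software = parse_identification(raw)
    if proto == "2.0":
        return "ssh2-only"
    if proto == "1.99":  # RFC 4253 section 5.1: server also accepts SSH-1 clients
        return "ssh1-fallback-enabled"
    if proto.startswith("1."):
        return "ssh1-only"
    return "unknown"

# Constructed banners; the host names and software names are made up.
SAMPLE_BANNERS = {
    "bastion.example": b"SSH-2.0-ExampleSSHD_1.0\r\n",
    "legacy.example": b"Authorized use only\r\nSSH-1.99-ExampleSSHD_0.9 migrated\r\n",
    "appliance.example": b"SSH-1.5-OldFirmware\r\n",
}

def hosts_needing_attention(banners):
    """Hosts whose banner shows SSH-1 is still reachable."""
    return sorted(h for h, b in banners.items() if classify(b) != "ssh2-only")

if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(host, classify(banner))
```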

In all versions of SSH, it is important to verify unknown public keys before accepting them as valid. Accepting an attacker's public key as a valid public key has the effect of disclosing the transmitted password and allowing man-in-the-middle attacks.
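Verifying a key in practice means comparing its fingerprint with one obtained over a separate trusted path. The following Python is an added example, not part of the original page: it computes the `SHA256:` fingerprint form that current OpenSSH prints for a public key line and compares it with a trusted value. Both key lines are constructed, meaningless values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

def _read_string(blob: bytes, offset: int):
    """Read one SSH 'string' (uint32 length + bytes); return (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def sha256_fingerprint(pubkey_line: str) -> str:
    """Fingerprint an OpenSSH-format public key line: 'type base64 [comment]'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    key_type, encoded = fields[0], fields[1]
    blob = base64.b64decode(encoded, validate=True)
    inner_type, _ = _read_string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError("key type label does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def host_key_is_trusted(offered_line: str, trusted_fingerprint: str) -> bool:
    """Compare the offered key against a fingerprint obtained out of band."""
    offered = sha256_fingerprint(offered_line)
    return hmac.compare_digest(offered.encode(), trusted_fingerprint.encode())

def _constructed_key(fill: int) -> str:
    """Build a well-formed but meaningless ssh-ed25519 key line for the demo."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed"

REAL_SERVER_KEY = _constructed_key(0x11)  # stands for the key the administrator published
INTERPOSED_KEY = _constructed_key(0x22)   # stands for a key offered by some other host

if __name__ == "__main__":
    trusted = sha256_fingerprint(REAL_SERVER_KEY)
    print(trusted, host_key_is_trusted(INTERPOSED_KEY, trusted))
```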

As with any encrypted protocol, SSH can be considered a security risk by companies or governments who do not trust their users and wish to eavesdrop on their communications. Furthermore, SSH has built-in tunneling features which make it easier for users to achieve passage of large volumes of information or to establish an entry point for unauthorized inward access over an SSH link than with other protocols.

Because of the heavy-weight feature set of the protocol, the ability to use SSH through a firewall may be a serious security risk. In addition to port forwarding, some implementations of SSH directly support Layer 2 VPNs, effectively connecting two remote Ethernet networks as if they were connected using a switch. Because of these problems, there are attempts to address this issue.
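On the server side these features are governed by configuration. The following Python is an added example, not part of the original page: it reviews an OpenSSH `sshd_config` for the settings this section names, namely SSH-1 fallback (the legacy `Protocol` keyword of older OpenSSH releases), port and X11 forwarding, and tunnel devices (`PermitTunnel ethernet` is the layer 2 case). The default values and both sample configurations are assumptions constructed for the illustration, and `Match` blocks are not evaluated.

```python
import re

# Assumed OpenSSH defaults for keywords the file leaves unset.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "x11forwarding": "no",
}
_LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")

def global_settings(config_text: str) -> dict:
    """Keyword -> value for the global section; the first occurrence wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if match is None:
            continue
        keyword, value = match.group(1).lower(), match.group(2).strip().lower()
        if keyword == "match":
            break  # conditional Match blocks are not evaluated here
        settings.setdefault(keyword, value)
    return settings

def settings_to_review(config_text: str) -> list:
    """Keywords whose effective value permits SSH-1 or some form of tunneling."""
    effective = {**DEFAULTS, **global_settings(config_text)}
    flagged = []
    versions = [v.strip() for v in effective.get("protocol", "2").split(",")]
    if "1" in versions:
        flagged.append("protocol")
    for keyword in ("allowtcpforwarding", "gatewayports", "permittunnel", "x11forwarding"):
        if effective[keyword] != "no":
            flagged.append(keyword)
    return flagged

# Constructed sample configurations.
PERMISSIVE = """\
# constructed example
Protocol 2,1
PermitTunnel ethernet
X11Forwarding yes
"""
RESTRICTED = """\
# constructed example
Protocol 2
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
GatewayPorts no
"""

if __name__ == "__main__":
    print(settings_to_review(PERMISSIVE), settings_to_review(RESTRICTED))
```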

How SSH uses public-key cryptography


First, a pair of cryptographic keys is generated. One is the private key, the other is the public key. As an analogy, they can be thought of as a matching private key and a public padlock. The public padlock is what is installed on the remote machine and is used by ssh to authenticate users who use the matching private key. As a user of the system, you don't care who can see or copy the padlock (i.e. the public key), since only the secret private key fits it. The private key is the part you keep secret inside a secure box that can only be opened with the correct passphrase. When the user wants to access a remote system, he opens the secure box with his passphrase, and uses the private key to authenticate himself with the padlock on the remote computer. Neither the passphrase nor the private key leaves the user's machine. However, the user still needs to trust the local machine not to scrape his passphrase or copy his private key while it's out of the secure box.

See also

  • Comparison of SSH clients
  • VNC can be tunneled through SSH to securely access a remote machine that is behind a firewall
  • Cygwin allows many Linux/BSD programs to run on Windows, including the OpenSSH client and server
  • Corkscrew - a tool that enables a user to run SSH over HTTPS proxy servers
  • Transport Layer Security
  • Ident
  • WinSCP
  • OpenSSH
  • PuTTY - Free Serial, Telnet, and SSH client
  • TeraTerm - Free Serial, Telnet, and SSH client
  • SSHFS - Secure protocol to share files over SSH
  • Dropbear - Free SSH-2 client and server software useful for embedded systems
  • Web-based SSH - Access to SSH servers through standard web browsers
  • FISH - FIles transferred over SHell protocol

External links

  • (for SSH-2)
  • - Home to the most widely used SSH implementation